The Progress Application Server for OpenEdge: Administration Guide (SECURED) handbook,
on page 81, chapter:
Configuring PAS for OpenEdge for SSL/TLS
describes these steps to secure HTTPS for the server by using SSL...
3. Submit MyCert.pk10, the public key file, to a CA in order to request an SSL certificate. The CA returns both a private and a public (or ROOT) SSL certificate. The certificates are files, usually with either a .crt or a .cer extension. In this example, we'll call the files MyCertPriv.cer and MyCertPub.cer
4. When the SSL certificates are received from the CA, copy them to the OpenEdge-Install-Dir\keys\requests directory.
5. Generate a Privacy Enhance Mail (.pem) formatted file from the private SSL certificate (named MyCertPriv.cer in these examples) obtained from a CA. A PEM file is an encrypted file that contains key store information. You use the OpenEdge PKIUTIL command-line utility to generate the PEM file. You can find more information about the syntax and usage of PKIUTIL in OpenEdge Getting Started: Installation and Configuration.
a) In PROENV, change directory to the PAS for OpenEdge instance's /conf directory. For example:
proenv> cd C:\MyInstance\conf
b) Use the -import option of PKIUTIL to generate the PEM file from the private SSL certificate. For example:
proenv> pkiutil -import MySSLPrivKey OpenEdge-Install-Dir\keys\requests\MyCertPriv.cer
Note: MySSLPrivKey is the stem filename of the PEM file that will be generated from MyCertPriv.cer.
c) When prompted enter the password you used when you created the keystore (i.e. the .pk1 file) in Step 2 on page 83.
I got confused: chatting with Sectigo CA (formerly Comodo) support, they informed me (and I could see) that
the *.crt file they sent is already in PEM format.
In the previous steps, should STEP 5 be done even if the cert is already PEM, or is this sentence missing something
like "in case you get the certificate in binary form, generate a PEM...."???
Also, this step brings in, out of nowhere, a reference to "MySSLPrivKey", and it is not clear where it came from.
I know it clearly says:
Note: MySSLPrivKey is the stem filename of the PEM file that will be generated from MyCertPriv.cer.
but following the instructions for creating this MySSLPrivKey file gives an error:
C:\Progress\OpenEdge\keys\requests>pkiutil -import MySSLPrivKey servicios_sucahersa_com.crt
A private key for keystore entry MySSLPrivKey does not exist
Assuming that I should skip that step, as the certificate is already in PEM format, I went on to the next steps in
Configuring a PAS for OpenEdge instance for SSL/TLS
Step 2 says to execute:
proenv> cd C:\MyInstance\conf
proenv> sslc pkcs12 -export C:\Progress\OpenEdge\keys\V.pem -out tomcat-keystore.p12 -name mysslprivkey
Is the "C:\Progress\OpenEdge\keys\V.pem" part a typo? I don't have that file on my server... I know
clearly we are digesting the previous confusing file, already in PEM format, but on executing sslc, I get:
C:\home\appsch\conf>sslc pkcs12 -export c:\progress\openedge\keys\requests\servicios_sucahersa_com.crt -out tomcat-keystore.p12 -name sch-ssl
pkcs12: Use -help for summary.
C:\home\appsch\conf>
I checked documentation and it is 11.7 indeed, same as my platform...
So, this far, I haven't been able to secure the server (PASOE 11.7.5)...
Any thoughts?
This link goes to the extreme of over simplifying the issue... so which one to follow?
"Configuring PAS for OpenEdge for SSL/TLS" is the one to follow for PASOE.
knowledgebase.progress.com/.../P109432 - this is for classic appserver.
documentation.progress.com/.../index.html - this is for securing OE Management, nothing to do with PASOE.
There is definitely something wrong with the instructions in "Configuring PAS for OpenEdge for SSL/TLS".
I'm looking into this now and will respond with my findings.
Apologies for the delay. There are definitely issues with the documentation, which I will follow up on with our documentation team.
I think this article describes the process best for PASOE. I tried this out with a self-signed certificate and it worked for me.
knowledgebase.progress.com/.../How-to-configure-and-test-a-PASOE-instance-for-secure-communications
Really thanks!!!!
I'm checking the article you posted, and will comment afterwards!
Thanks!!!!
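
The thread turns on what a CA-supplied .crt file actually contains: PEM or binary (DER) encoding, and a certificate or a private key. The following checker is an added example, not code from the Progress documentation or from any poster; the function names are hypothetical and the sample bytes are constructed, not a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def der_total_length(data):
    """Full length of a DER SEQUENCE starting at data[0], or None if not one."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data):
    """Report the encoding of a cert/key file and the PEM blocks it contains."""
    blocks = []
    for label, body in PEM_BLOCK.findall(data):
        # Legacy encrypted keys carry "Name: value" header lines; skip them.
        lines = [ln.strip() for ln in body.splitlines() if b":" not in ln]
        try:
            der = base64.b64decode(b"".join(lines), validate=True)
        except ValueError:
            der = b""
        # Second tuple element: does the body decode to one well-formed DER SEQUENCE?
        blocks.append((label.decode(), der_total_length(der) == len(der)))
    if blocks:
        has_key = any(lbl.endswith("PRIVATE KEY") for lbl, _ in blocks)
        return {"encoding": "PEM", "blocks": blocks, "has_private_key": has_key}
    if der_total_length(data) == len(data):   # bare DER has no label to inspect
        return {"encoding": "DER", "blocks": [], "has_private_key": None}
    return {"encoding": "unknown", "blocks": [], "has_private_key": None}

def to_pem(label, der):
    """Wrap DER bytes in PEM armor (used only to build the sample input)."""
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + tag + b"-----\n")

# Constructed sample: SEQUENCE { INTEGER 5 }, not a real certificate or key.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

if __name__ == "__main__":
    print(classify(SAMPLE_DER))
    print(classify(to_pem("CERTIFICATE", SAMPLE_DER)))
```

To check a real file, pass `open(path, "rb").read()` to `classify`; a result with `has_private_key` set to `False` means the file holds only certificate blocks.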